Right to Privacy vis-à-vis age of Information Technology

This article was written by Shubham Patel, a student of Dr. Ram Manohar Lohiya National Law University, Lucknow

Humans have a tendency to keep things, which are private, away from the public gaze. The question keeps to arise that, There is a right to live, but is there a right to privacy? If there is, what is the scope and parameters of this right?

A very interesting development in the Indian Constitutional jurisprudence is the extended dimensions given to Art. 21 by the Hon’ble Supreme Court in post-Maneka Gandhi case era. The Supreme Court has asserted that Art. 21 is the spirit of the Fundamental Rights. Art. 21 has been proved to be multi-dimensional. The extension in the dimensions of Art.21 has been made possible by giving an extended meaning to the word ‘life’ and ‘liberty’ in Art. 21. These two words in Art. 21 are not to be read narrowly. These are organic terms which are to be construed meaningfully.

With the growth, the society shifted towards the instruments of technology and in the present day context the entire data of a person can be traced online, the drawback of this reliance on technology is that the privacy of a person has grown more prone to the attacks and being manipulated, the rights which a person enjoys to protect his privacy in this technologically driven age have became inherently important.

Concepts of Right to Privacy

International

Right to Privacy is a cherished right which is recognized and followed in all the developed and modern nations, several conventions have also recognized it as a basic human right.

Article 12, Universal Declaration of Human Rights (1948): “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Article 17 of International Covenant on Civil and Political Rights and Article 8 of European Convention on Human Rights, talk on the same lines with the only exceptions being the well being of the state in the later case.

Lord Denning has forcefully argued for the recognition of a right to privacy,[1] “English law should recognize a right to privacy. Any infringement of it should give a cause of action for damages or an injunction as the case may require.

India

In India the Right to Privacy is not expressly contained under any provision of the constitution, since 1960s, the Indian judiciary, has dealt with the issue of privacy, and recognized it under the thread of being both a fundamental right under the Constitution as well as a common law right, but at the same time refrained from defining it in iron-clad terms, the Courts have preferred to have it evolve on a case by case basis, instead, and on that basis only the right has evolved.

The first time rose in the case of Kharak Singh v State of Uttar Pradesh,[2] in this case the domiciliary visits of police officers was contended to be unconstitutional and against Article 21, the court observed that “It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.” Marking it as an early recognition of privacy as a fundamental right, The same question was raised once again in Govind v State of Madhya Pradesh,[3] but the court here favored the right to privacy, and the sole restriction was placed on the basis of compelling Public Interest.

The issue of balancing the right to privacy and right to speech came in front of Supreme Court in case of R. Rajagopal v. State of Tamil Nadu[4], or as it popularly known as Auto Shankar case, the Supreme Court recognized the right and said, The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be let alone”.

Mr. X v Hospital’Z’,[5]was another landmark case where the court said that though the alleged hospital violated the right to privacy of the person but the same was for well being and health of person he was going to marry same was not wrong.

In several other cases it was held by the court that the telephone conversation if tapped would amount to violation of Right to Privacy, cases like R.M Malkani v. State of Maharashtra[6]and People’s Union for Civil Liberties (PUCL) v. Union of India[7], are on the same lines.

Thus it can be seen that the judiciary has dealt with the matters relating to the right to privacy in a case to case manner and it has grown and evolved over the time.

The Right to Privacy Bill

The Bill provides for a statutory right to privacy for Indian citizens and endeavors to protect this right by regulating the use and collection of personal information. The statutory right to privacy is made subject to laws in force at the time or orders of courts, and will includes confidentiality of communication, private life, financial transactions, medical and legal information, protection from identity theft and use of photographs, fingerprints, DNA samples and privacy from surveillance.

The Bill defines ‘interception of communication’ as being inclusive of stopping or intercepting any communication and detention of any such communication and sets out a large number of procedural safeguards to regulate the interception of communications under Section 5(2) of The Telegraph Act, 1885. Surveillance, whether by electronic or other means that would reveal private or personal information or adversely affect the individual’s right to privacy is prohibited by the Bill. The government can, however, undertake surveillance of a person upon the occurrence of any public emergency, in the interest of public safety or for the purpose of preventing crime or disorder. This prohibition would undoubtedly apply to any sting operation that might be undertaken by the media. There are also provisions prohibiting the revelation of citizens’ personal information in the form of photographs, fingerprints and DNA samples of health information, by other persons or by a government officer in public so as to adversely affect the citizen’s right to privacy, which amount to a civil wrong. Personal data can be collected only with the consent of the data subject in accordance with the provisions of laws in force. The Bill also allows the data subject to restrict data processing for the purposes of ‘unsolicited commercial communication.’

The bill provides for establishing a Data Protection Authority of India which would deal and enforce compliance in the matters related to data, monitor developments in technology to ensure that there is no adverse effect on the protection of data, evaluate laws that are in force at the time and recommend appropriate measures to ensure that they conform with the requirements of this Bill. It also provides for setting up a National Data Control Registry to facilitate the efficient data entry by the Data Controllers. The Cyber Regulations Appellate Tribunal, which was established under the Information Technology Act 2000, is tasked with adjudicating the matter of conflict arising between the data collectors and the individuals, and entertains appeals arising from action of authorities. Those who have suffered may also initiate civil or criminal proceedings too.

Right to Privacy and Information Technology

Information and Communications Technologies (ICTs) have greatly enhanced our capacities to collect, store, process and communicate information, it is ironic that these very capacities of technology make us vulnerable to intrusions of our privacy on a previously impossible scale. In fact, it is possible for the smallest of businesses and even for the individuals (for example through networking sites) to collect and analyse detailed information about identifiable individuals almost anywhere in the world. The data collected proves extremely valuable to businesses for understanding tastes and preferences of consumers.

Two issues are involved—excessive data collection and manipulation of the collected data. Data are being collected voluntarily as well as involuntarily. In the former case, personal information is given in the process of filling registration forms etc. for various reasons with the erroneous belief that it will be confined to the purposes for which it is being given whereas involuntary internet disclosures usually entail some sort of surreptitious tracking. The most common methods are the gathering of click stream data and the use of cookies. Web bugs, spyware and workplace monitor are some of the other agents responsible for disclosure of information without the consent of the data subject. Most of the innocent users are unaware of the fact that their data is secretly collected. Data collected for one purpose is used for another without the permission of the data subject and the result is unsolicited and unwanted communications to the data subjects via emails, phone calls etc. There are cases of alteration of data by which data subject may suffer unnecessary harassment.

Data may be defined as a representation of information. In the cyber world, data signifies that information which is prepared in a formalised manner and processed in the computer system or computer network. It may be stored in the memory of the computer or in any other form. In the individual context, data may be classified as “Personal Data” and “Sensitive Personal Data”. The former relates to the data by which a particular person can be identified with the help of information like identification number or with the help of the factors specific to an individual like physical, physiological, mental, economic, cultural or social identity. Sensitive data reveal the racial or ethnic origin of the data subject or his/her political opinion, religious beliefs, mental health, sexual life and information regarding membership of a trade union. Further, European data protection law recognises the concepts of anonymous and pseudonymous data. Data protection law signifies the rights of the data subject and responsibilities of the data collector and data controller.

Hearing about phishing scams, hoax email scams and hacking and privacy theft have became the order of the day, all these scams are targeted to extract the personal information of the user and then use it against his will, usually for monetary gains to be extracted from.

In India the IT Act of 2000, looks into these issue and provides the citizens a road map to enter into legal action against the one who has violated their right.

The Civil Remedies for Data Protection under IT Act: Section 43-A provides for compensatory liability of the body corporate dealing with sensitive personal data or information. Section 43-A reads as follows—

“Compensation for failure to protect data—Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.”

At a cursory glance, it appears to address several long-standing concerns relating to data protection in India. In fact, under most international data protection statutes, the person in “control” of the data is liable for the consequences of disclosure, loss or unauthorised access to such information. This ensures that liability is restricted to those who actually have the ability to control the manner in which the data is treated. However, under the new provisions of the IT Act, the mere possession of information and its subsequent misuse would render any person who possesses this data liable to pay damages. While there is likely to be a debate on what constitutes possession and how this differs from control, there can be little doubt that by referring to “possession” in addition to “operation” and “control”, the IT Act has widened the net considerably.

However, there are several limitations in the IT Act, which could affect the development of data protection jurisprudence in the country. Firstly, unlike international practice, data are not classified in different levels requiring different treatment. Section 43-A only talks about “sensitive personal data or information” and does not lay down how personal data deemed to be sensitive is to be treated. Besides, the Act also fails to categorise criteria for determining sensitive personal data and it is left to the whim of the Central Government in consultation with professional bodies. Secondly, liability may be imposed on body corporate only if it is found to be negligent in implementing its security practices and procedures in relation to the data possessed, controlled or handled by it. In this regard, it is important to analyse the term “negligence.” According to the IT Act, the liability arises only if there is “wrongful loss” in one side and “wrongful gain” takes place in the other side. But, these terms are neither defined in statutes nor established through judicial precedents in the civil context and are generally applied for imposing criminal liability.

The Criminal Remedies for Unlawful Disclosure of Information: Section 72-A provides for punishment for disclosure of personal information in breach of lawful contract with the intention or knowledge likely to cause wrongful loss or wrongful gain. Section 72-A is worded as follows—

“Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to rupees five lakh, or with both.”

This provision is also not free from error. It talks about protection of “personal information” but the term itself is not defined in the Act. Therefore, it is difficult to assess the scope of the subject matter. Besides, this section seems to apply only in respect of personal information obtained under a contract for services and thus literally does not apply to confidential agreement, which is not of personal nature like the Technology Licence Agreement.

Moreover, Section 66-E provides for violation of privacy. It lays down punishment for a person who intentionally or knowingly publishes or transmits the image of the private area of any person without his/her consent. This section is relevant for online data protection because data includes information and it hardly needs any mentioning that images and pictures are often the subject of misuse on the internet. Other notable provisions dealing with data protection are tampering with computer source documents, sending offensive messages through communication device, dishonestly receiving stolen computer resource, identity theft and cheating by impersonation.

UIDAI or Adhaar scheme is gaining profound importance and is also used to provide people with subsidies and other beneficial schemes, the masses are also urged to link up their bank accounts with the Adhaar cards, but this development can be contended to be against the right to privacy of the person, as this violates the right to privacy of the person, the biometric data of the person is collected in order to make a Adhaar card and the same was done by people hired on the Ad hoc basis, so this can considered to be harmful as there was no proper method by which only the authorized people were appointed to deal with such a sensitive issue. Moreover all this data could likely be lost or stolen putting the person’s privacy into jeopardy.

Conclusion

By giving information, we may end up compromising some of our rights (for example, the right to privacy). Manipulation of data is growing at a rapid pace as the virtual world is moving at a lightning speed. The surveillance potential of powerful computer systems prompted demands for specific rules governing the collection and handling of personal information. But, India still lags behind in terms of proper Data Protection Laws. Thus, the law regarding protection of data has not kept pace with the technological development. combined or integrated approach is often most effective and therefore, desirable.

Two conflicting interests are involved—on one hand, there is the “right to know” under the speech and expression clause guaranteed by Article 19 of the Constitution of India while on the other hand, there is the “right to be left alone” or the right not to share personal information under the right to privacy which flows from right to personal liberty under Article 21. A law pertaining to data protection should primarily reconcile these conflicting interests as none of the said rights is absolute in nature. It is high time that Indian legislature takes some positive steps because cyberspace has come to stay. Work also needs to be done in terms of making the users aware of the issues involved, communicating and educating them regarding the proper usage and adoption of the proper handling procedures so that the society at large can reap the benefits of a new revolution.

In this day and age, this right is becoming more essential as every day passes. With all our lives being splattered over the media be it through social networking sites or the spy cameras, we need protection so that we can function in a way we want to and not think of others before our actions. After all, the only ones we owe an explanation to is ourselves, and not to the entire world